Question about behavior of user supplied IceSSL::CertificateVerifier set with setCertificateVerifier

With the following IceSSL initialization setup for Ice 3.5.1:

Ice::PluginManagerPtr pluginMgr = m_communicator->getPluginManager( );
Ice::PluginPtr icePlugin = pluginMgr->getPlugin( "IceSSL" );
IceSSL::PluginPtr sslPlugin = IceSSL::PluginPtr::dynamicCast( icePlugin );
sslPlugin->setCertificateVerifier( new MyVerifier() );

and MyVerifier being:

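class MyVerifier : public IceSSL::CertificateVerifier
{
public:
    // Called by IceSSL for each new connection; may run on several threads at once.
    virtual bool verify( const IceSSL::NativeConnectionInfoPtr& info )
    {
        LOG(info->remoteAddress);
        return false; // reject every connection
    }
};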

What is the correct usage of:
auto myPrx = MyPrx::checkedCast( base->ice_twoway()->ice_secure( true )->ice_timeout( timeout ) );
for multiple threads?

What we are observing is two threads hitting the code above, and then a log is printed with the first address and both threads throw an Ice::Exception. I would expect both addresses to be logged.

Comments

  • xdm (La Coruña, Spain)

    Hi Greg,

    If the supplied certificate verifier returns false, the connection is expected to end with an exception see.

    It is perfectly safe to call proxy methods from multiple threads concurrently. Regarding multiple threads calling verify at the same time, this is expected, as you are making invocations from multiple threads, and the implementation of verify must be thread-safe to handle this. The fact that only the first address is printed could be a problem with the LOG implementation; is the implementation of LOG synchronized?

    Hope this makes things clear; let us know if you need further clarification.

    Cheers,
    José

  • Thank you for the reply. We believe we are observing behavior different from what is expected. Our logger is known to be thread safe, and we have done additional verification with an atomic counter. We will try to extract a small test program from our code and go from there.

  • xdm (La Coruña, Spain)

    You can try setting the IceSSL.Trace.Security property to 1; you should see two messages like

    connection rejected by certificate verifier ....
    

    one for each connection rejected by the verifier, see https://github.com/zeroc-ice/ice/blob/3.5/cpp/src/IceSSL/Instance.cpp#L1053

  • We found the issue. There was a thread safety problem upstream that caused us to attempt to connect to the same remote system twice, and we noticed the problem in the verifier. Thanks for your reply.
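
Added example (not code from the thread or from ZeroC): a stand-alone C++ model of a thread-safe verifier that tallies verify() calls per remote address under a mutex, so two rejections of the same peer, as in the double connect found above, can be told apart from a lost log line. `ConnInfo`, `CountingVerifier` and `runConcurrently` are hypothetical names standing in for IceSSL::NativeConnectionInfo and a CertificateVerifier subclass; no Ice headers are used and the addresses are constructed.

```cpp
#include <iostream>
#include <map>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for IceSSL::NativeConnectionInfo (only the field used here).
struct ConnInfo { std::string remoteAddress; };

// Hypothetical verifier: verify() may run on several threads at once, so the
// shared tally is only touched while holding the mutex.
class CountingVerifier {
public:
    // Rejects every connection, like MyVerifier in the question, and records
    // how many times each remote address was presented.
    bool verify(const ConnInfo& info) {
        std::lock_guard<std::mutex> lock(mutex_);
        ++perAddress_[info.remoteAddress];
        return false;
    }
    // Snapshot of address -> number of verify() calls.
    std::map<std::string, int> perAddress() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return perAddress_;
    }
private:
    mutable std::mutex mutex_;
    std::map<std::string, int> perAddress_;
};

// Calls verify() once per address, each call on its own thread, and returns the tally.
std::map<std::string, int> runConcurrently(const std::vector<std::string>& addresses) {
    CountingVerifier verifier;
    std::vector<std::thread> threads;
    for (const std::string& addr : addresses)
        threads.emplace_back([&verifier, addr] { verifier.verify(ConnInfo{addr}); });
    for (std::thread& t : threads) t.join();
    return verifier.perAddress();
}

int main() {
    // Constructed sample: two threads end up connecting to the same peer.
    for (const auto& entry : runConcurrently({"192.0.2.10", "192.0.2.10"}))
        std::cout << entry.first << " rejected " << entry.second << " time(s)\n";
    return 0;
}
```

A tally of one address with a count of 2 points at duplicate connection attempts upstream; two addresses with a count of 1 each is what two threads connecting to different peers would produce.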